A modification several months ago introduced a cross-site scripting vulnerability (XSS) in Google Search and possibly in Google Products in an open source JavaScript library.
In Google Search, Japanese security researcher Masato Kinugawa found what seemed to be XSS vulnerability. Such a safety hole could represent a serious risk and it could be extremely helpful in phishing and other forms of attacks for malicious actors. The XSS vulnerability was introduced by using a library called Closure and its failure to properly sanitize user input, according to an analysis carried out in LiveOverflow.
Closure is a comprehensive Google JavaScript library for complex and scalable web applications.
この前、Googleで見つけたDOMXSSを@LiveOverflowさんが動画で解説してくださいました!解説は英語ですが、図が豊富でとってもわかりやすいので、発展的なXSSに興味がある人はぜひ見てみてください。https://t.co/3wtpahOL4j
— Masato Kinugawa (@kinugawamasato) 31 March 2019
The technology giant has created and still uses the library open source for many of its applications, including search, maps and docs. Apparently on 26 September 2018, the vulnerability was introduced when somebody reportedly removed sanitation because of certain user interface problems. It was discussed in September 2018 on 22 February 2019 when the change took place.
Soon after Google learned of its existence, it is said that it patches the vulnerability. Developers ‘ comments on the rollback confirmed that the HTML sanitizer issue was related and that the Google Web Server (GWS) software has a XSS flaw.
While analyzing the flaw, LiveOverflow stated that the security bug probably had a bearing upon other Google products using the Closure library. It is unclear whether Google has given this vulnerability a bug bounty.
